1. Technical Field
The present invention relates generally to an apparatus and method for detecting false positives in an Intrusion Detection System (IDS). More particularly, the present invention relates to an IDS false positive detection apparatus and method intended to improve the true positive efficiency of an IDS that is used, during cyber security control and information protection tasks, to detect and cope with intrusion behavior threatening the security of an information protection system, and that detects known intrusion behavior from intrusion behavior data (rule-based or knowledge-based data) using a misuse detection technique.
2. Description of the Related Art
Generally, security control and information protection tasks comprise procedures for identifying, among the security events detected by an IDS, the true positive events that represent actual cyber threat actions, by analyzing the header and payload of the network packet data in each event.
However, 99% or more of security events are false positive events rather than true positive events causing cyber threat actions. The work of an information protection manager and a security control analyst, who must analyze the packet data within these security events in order to pick out the true positive events from a large number of false positive events, consumes a great deal of time and effort and consequently delays the response to actual intrusion incidents.
In order to solve this problem, a number of methods for reducing false positive events by optimizing the detection rules of an IDS have been proposed, but typical detection rule optimization methods are difficult to apply because the operating environment differs from one IDS to another.
Therefore, when intrusion behavior threatening the security of an information protection system occurs during cyber security control and information protection tasks, there is a need for an IDS false positive detection apparatus and method which detect known intrusion behavior from intrusion behavior data (rule-based data or knowledge-based data) using a misuse detection technique, in order to improve the true positive efficiency of the IDS used to detect and cope with such intrusion behavior.
Thus, the present invention collects and learns IDS detection rules and the payload data of false positive events through a continuous learning procedure that identifies true positive and false positive events, based on the pure payload parts (excluding the header parts) of the packet data identified as false positive events among the network packet data within the large number of security events detected by the IDS.
By means of this procedure for learning the results of collecting and analyzing the payload data within false positive events, the present invention automatically compares the packet data within subsequently detected security events with the learned results and determines whether the pieces of payload data are identical or similar to each other. Thus only the true positive events that are cyber threats, or the security events having a strong possibility of being true positive events, are selectively displayed to the information protection manager and the security control analyst, which shortens the time required to analyze security events for intrusion behavior conducted over a network and improves the true positive rate for security events.
Further, a method is proposed for facilitating the identification of IDS detection rules for which the rate of events detected as false positives is high, thereby also making it possible to optimize the IDS detection rules. As related technology, there is Korean Patent Application Publication No. 10-2006-0005719.
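The learning and comparison procedure described in the preceding paragraphs (store the payloads of events an analyst has confirmed as false positives, compare the payloads of subsequently detected events against them for identity or similarity, display only the events that match nothing learned, and track which rules fire mostly on false positives), as an added illustrative example in Python that is not part of the patent and is not the applicant's implementation. The event fields, the SHA-256 exact match, the byte 3-gram Jaccard similarity measure, the 0.8 threshold, the rule identifiers and all sample payloads are assumptions constructed for this example; the patent specifies none of them.

```python
"""Added example (not the patent's own code): learn false positive payloads per
IDS rule, score new events against them, and report per-rule false positive
rates. All identifiers and sample data below are constructed assumptions."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SIMILARITY_THRESHOLD = 0.8  # assumed threshold; the patent gives no value
NGRAM = 3                   # assumed n-gram width for the similarity measure


@dataclass
class Event:
    rule_id: str
    header: dict = field(default_factory=dict)   # header is kept but not learned
    payload: bytes = b""                          # pure payload part of the packet
    verdict: Optional[str] = None                 # "fp", "tp" or None if unlabelled


def ngrams(data: bytes, n: int = NGRAM) -> set[bytes]:
    """Set of overlapping byte n-grams; a payload shorter than n yields itself."""
    if len(data) < n:
        return {data}
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set[bytes], b: set[bytes]) -> float:
    """Jaccard index of two n-gram sets; two empty sets count as identical."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


class FalsePositiveLearner:
    """Remembers false positive payloads per IDS rule and scores new events."""

    def __init__(self, threshold: float = SIMILARITY_THRESHOLD):
        self.threshold = threshold
        # rule_id -> SHA-256 digests of payloads confirmed as false positives
        self.known_fp_hashes: dict[str, set[str]] = defaultdict(set)
        # rule_id -> n-gram profiles of those payloads, for similarity matching
        self.known_fp_profiles: dict[str, list[set[bytes]]] = defaultdict(list)
        # rule_id -> {"fp": count, "tp": count} from analyst verdicts
        self.counts: dict[str, dict[str, int]] = defaultdict(lambda: {"fp": 0, "tp": 0})

    def learn(self, event: Event) -> None:
        """Record an analyst verdict; only false positive payloads are stored."""
        if event.verdict not in ("fp", "tp"):
            raise ValueError("training events need an 'fp' or 'tp' verdict")
        self.counts[event.rule_id][event.verdict] += 1
        if event.verdict == "fp":
            digest = hashlib.sha256(event.payload).hexdigest()
            if digest not in self.known_fp_hashes[event.rule_id]:
                self.known_fp_hashes[event.rule_id].add(digest)
                self.known_fp_profiles[event.rule_id].append(ngrams(event.payload))

    def classify(self, event: Event) -> tuple[str, float]:
        """Return ("identical", 1.0), ("similar", score) or ("unknown", score)."""
        digest = hashlib.sha256(event.payload).hexdigest()
        if digest in self.known_fp_hashes.get(event.rule_id, set()):
            return "identical", 1.0
        profile = ngrams(event.payload)
        best = max((jaccard(profile, p) for p in self.known_fp_profiles.get(event.rule_id, [])),
                   default=0.0)
        return ("similar" if best >= self.threshold else "unknown"), best

    def triage(self, events: list[Event]) -> list[Event]:
        """Keep only the events that match no learned false positive, i.e. the
        ones that would be displayed to the analyst."""
        return [e for e in events if self.classify(e)[0] == "unknown"]

    def fp_rate_by_rule(self) -> dict[str, float]:
        """Share of labelled events per rule that were false positives."""
        return {rule: c["fp"] / (c["fp"] + c["tp"]) for rule, c in self.counts.items()}


# Constructed sample data: a benign health-check request that rule WEB-1001
# keeps flagging, plus one confirmed true positive per rule.
HEALTH_CHECK = (b"GET /health HTTP/1.1\r\nHost: app.internal\r\n"
                b"User-Agent: HealthCheck/1.0\r\n\r\n")
DEBUG_PROBE = (b"GET /admin/config.php?debug=1 HTTP/1.1\r\nHost: app.internal\r\n"
               b"User-Agent: curl/8.4.0\r\n\r\n")
TRAINING = [
    Event("WEB-1001", payload=HEALTH_CHECK, verdict="fp"),
    Event("WEB-1001", payload=HEALTH_CHECK, verdict="fp"),
    Event("WEB-1001", payload=HEALTH_CHECK.replace(b"app.internal", b"db.internal"), verdict="fp"),
    Event("WEB-1001", payload=DEBUG_PROBE, verdict="tp"),
    Event("WEB-2002", payload=b"constructed true positive payload", verdict="tp"),
]
NEW_EVENTS = [
    Event("WEB-1001", payload=HEALTH_CHECK),                                        # identical
    Event("WEB-1001", payload=HEALTH_CHECK.replace(b"Check/1.0", b"Check/1.1")),    # similar
    Event("WEB-1001", payload=DEBUG_PROBE),                                         # unknown
    Event("WEB-3003", payload=HEALTH_CHECK),   # rule never learned: learning is per rule
]


def build_demo() -> FalsePositiveLearner:
    learner = FalsePositiveLearner()
    for event in TRAINING:
        learner.learn(event)
    return learner


if __name__ == "__main__":
    demo = build_demo()
    for event in NEW_EVENTS:
        print(event.rule_id, *demo.classify(event))
    print("displayed:", [e.rule_id for e in demo.triage(NEW_EVENTS)])
    print("fp rate by rule:", demo.fp_rate_by_rule())
```

Learning is keyed by rule so that a payload which is benign for one rule is not treated as benign for every rule, and the per-rule counts give the false positive rate the last paragraph refers to: a rule whose rate stays near 1.0 is a candidate for detection rule optimization.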